IMO the NSA should be split into 2 agencies.
One would be tasked with protecting the security of data, information, communications and networks of the United States government, its agencies and any entity deemed to be vital to national security. And this does include finding and fixing (or giving to vendors to fix) bugs in software being used by those entities it is tasked with protecting. And developing new protocols and algorithms and systems and hardware and software to protect the stuff it is tasked with protecting. And certifying software, hardware, algorithms, protocols and systems (developed in-house or externally) as being safe (or unsafe) for use in storing, manipulating, handling, transmitting or receiving the stuff it is tasked with protecting.
The other would be tasked with spying on threats to national security. Including monitoring communications, email, data, computers and software belonging to those threats. Yes that includes hacking into the computer of a bad guy who stole classified secrets or launched malware that compromised government systems.
This agency would have constraints placed on it so that it was only monitoring threats and not anyone else and so that it was not compromising global security in the course of carrying out its mission (e.g. it would be prohibited from trying to weaken the security of software/hardware/protocols/algorithms/etc in order to be able to spy on entities using those things)
Remember that when Truman created the NSA, a computer was a device that took up several rooms, there were only a handful in the entire world and only a small number of of people even knew what one was, let alone were able to use one. And the closest thing to digital communications networks were teleprinters. And the biggest threat to national security was a Soviet Tupolev Tu-95 bomber with a nuclear bomb underneath.
These days, computers are everywhere and being used for all sorts of things never imagined in the 50s. And the biggest threat to US national security is not a Russian bomber or missile but a terrorist with a suitcase bomb or hijacked airliner. Or a hacker from a foreign intelligence agency.